@runsec/mcp 1.0.28 → 1.0.37
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/data/.rag-cache.json +1 -0
- package/dist/data/skills/_exploit_overrides.json +16 -0
- package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
- package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
- package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
- package/dist/data/skills/app-logic/index.md +69 -0
- package/dist/data/skills/app-logic/patterns.md +23 -0
- package/dist/data/skills/app-logic/skill.json +24 -0
- package/dist/data/skills/auth-keycloak/index.md +69 -0
- package/dist/data/skills/auth-keycloak/patterns.md +46 -0
- package/dist/data/skills/auth-keycloak/skill.json +51 -0
- package/dist/data/skills/browser-agent/index.md +58 -0
- package/dist/data/skills/browser-agent/patterns.md +15 -0
- package/dist/data/skills/browser-agent/skill.json +24 -0
- package/dist/data/skills/cloud-secrets/index.md +66 -0
- package/dist/data/skills/cloud-secrets/patterns.md +19 -0
- package/dist/data/skills/cloud-secrets/skill.json +28 -0
- package/dist/data/skills/csharp-dotnet/index.md +103 -0
- package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
- package/dist/data/skills/csharp-dotnet/skill.json +27 -0
- package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
- package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
- package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
- package/dist/data/skills/devops-security/index.md +64 -0
- package/dist/data/skills/devops-security/patterns.md +23 -0
- package/dist/data/skills/devops-security/skill.json +42 -0
- package/dist/data/skills/domain-access-management/index.md +123 -0
- package/dist/data/skills/domain-access-management/patterns.md +58 -0
- package/dist/data/skills/domain-access-management/skill.json +36 -0
- package/dist/data/skills/domain-data-privacy/index.md +98 -0
- package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
- package/dist/data/skills/domain-data-privacy/skill.json +36 -0
- package/dist/data/skills/domain-input-validation/index.md +210 -0
- package/dist/data/skills/domain-input-validation/patterns.md +158 -0
- package/dist/data/skills/domain-input-validation/skill.json +24 -0
- package/dist/data/skills/domain-platform-hardening/index.md +169 -0
- package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
- package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
- package/dist/data/skills/ds-ml-security/patterns.md +137 -0
- package/dist/data/skills/fastapi-async/index.md +83 -0
- package/dist/data/skills/fastapi-async/patterns.md +329 -0
- package/dist/data/skills/fastapi-async/skill.json +32 -0
- package/dist/data/skills/frontend-react/index.md +26 -0
- package/dist/data/skills/frontend-react/patterns.md +226 -0
- package/dist/data/skills/frontend-react/skill.json +24 -0
- package/dist/data/skills/go-core/index.md +86 -0
- package/dist/data/skills/go-core/patterns.md +272 -0
- package/dist/data/skills/go-core/skill.json +22 -0
- package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
- package/dist/data/skills/index.md +73 -0
- package/dist/data/skills/infra-k8s-helm/index.md +138 -0
- package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
- package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
- package/dist/data/skills/integration-security/index.md +73 -0
- package/dist/data/skills/integration-security/patterns.md +132 -0
- package/dist/data/skills/integration-security/skill.json +30 -0
- package/dist/data/skills/java-enterprise/index.md +31 -0
- package/dist/data/skills/java-enterprise/patterns.md +816 -0
- package/dist/data/skills/java-enterprise/skill.json +26 -0
- package/dist/data/skills/java-spring/index.md +65 -0
- package/dist/data/skills/java-spring/patterns.md +22 -0
- package/dist/data/skills/java-spring/skill.json +23 -0
- package/dist/data/skills/license-compliance/index.md +58 -0
- package/dist/data/skills/license-compliance/patterns.md +12 -0
- package/dist/data/skills/license-compliance/skill.json +28 -0
- package/dist/data/skills/mobile-security/patterns.md +42 -0
- package/dist/data/skills/nodejs-nestjs/index.md +71 -0
- package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
- package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
- package/dist/data/skills/observability/index.md +68 -0
- package/dist/data/skills/observability/patterns.md +22 -0
- package/dist/data/skills/observability/skill.json +26 -0
- package/dist/data/skills/php-security/patterns.md +202 -0
- package/dist/data/skills/ru-regulatory/index.md +72 -0
- package/dist/data/skills/ru-regulatory/patterns.md +28 -0
- package/dist/data/skills/ru-regulatory/skill.json +53 -0
- package/dist/data/skills/ruby-rails/index.md +65 -0
- package/dist/data/skills/ruby-rails/patterns.md +172 -0
- package/dist/data/skills/ruby-rails/skill.json +24 -0
- package/dist/data/skills/rust-security/patterns.md +152 -0
- package/dist/data/trufflehog-config.yaml +407 -0
- package/dist/index.js +3830 -400
- package/package.json +2 -3
|
@@ -0,0 +1,329 @@
|
|
|
1
|
+
| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
|
|
2
|
+
|---|---|---|---|---|---|---|
|
|
3
|
+
| FAS-001 | SlowAPI: неверный порядок декораторов `limit` | `@limiter.limit("2/minute")`<br>`@app.get("/test")`<br>`async def test(request: Request):`<br>` return "hi"` | `@app.get("/test")`<br>`@limiter.limit("2/minute")`<br>`async def test(request: Request):`<br>` return "hi"` | Python/FastAPI | `SlowApi Documentation, FastAPI > Note: route decorator must be above the limit decorator, not below it` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-001 slowapi неверный порядок декораторов limit limiter 2 minute app get test async def request return hi -->
|
|
4
|
+
| FAS-002 | SlowAPI: endpoint без `request: Request` | `@app.get("/limited")`<br>`@limiter.limit("5/minute")`<br>`async def limited() -> dict[str, str]:`<br>` return {"status": "ok"}` | `@app.get("/limited")`<br>`@limiter.limit("5/minute")`<br>`async def limited(request: Request) -> dict[str, str]:`<br>` return {"status": "ok"}` | Python/FastAPI | `SlowApi Documentation, Limitations and known issues > Request argument` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-002 slowapi endpoint без request app get limited limiter limit 5 minute async def dict str return status ok -->
|
|
5
|
+
| FAS-003 | SlowAPI: нет `response` при необходимости модификации заголовков | `@app.get("/mars")`<br>`@limiter.limit("5/minute")`<br>`async def homepage(request: Request):`<br>` return {"key": "value"}` | `@app.get("/mars")`<br>`@limiter.limit("5/minute")`<br>`async def homepage(request: Request, response: Response) -> dict[str, str]:`<br>` return {"key": "value"}` | Python/FastAPI | `SlowApi Documentation, Limitations and known issues > Response type` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-003 slowapi нет response при необходимости модификации заголовков app get mars limiter limit 5 minute async def homepage request return key -->
|
|
6
|
+
| FAS-004 | SQLi: интерполяция значений в SQL (без `:param`) | `query = f"INSERT INTO HighScores(name, score) VALUES ('{name}', {score})"`<br>`await database.execute(query=query)` | `query = "INSERT INTO HighScores(name, score) VALUES (:name, :score)"`<br>`values = {"name": name, "score": score}`<br>`await database.execute(query=query, values=values)` | Python/FastAPI | `EncodeDatabases, contributing > Insert some data` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий подставляет в SQL значения через f-string/конкатенацию; при отсутствии параметризации выполняет произвольный SQL (CWE-89). | <!-- semantic_anchor: fas-004 sqli интерполяция значений в sql без param query f insert into highscores name score values await database execute -->
|
|
7
|
+
| FAS-005 | SQLi: конкатенация строк в SQL (без `:param`) | `query = "INSERT INTO HighScores(name, score) VALUES ('" + name + "', " + str(score) + ")"`<br>`await database.execute(query=query)` | `query = "INSERT INTO HighScores(name, score) VALUES (:name, :score)"`<br>`values = {"name": name, "score": score}`<br>`await database.execute(query=query, values=values)` | Python/FastAPI | `EncodeDatabases, contributing > Insert some data` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий подставляет в SQL значения через конкатенацию строк; при отсутствии bind-параметров выполняет произвольный SQL (CWE-89). | <!-- semantic_anchor: fas-005 sqli конкатенация строк в sql без param query insert into highscores name score values str await database execute -->
|
|
8
|
+
| FAS-006 | Transaction Leak: несколько `execute()` без `async with database.transaction()` | `await database.execute(query=query1, values=values1)`<br>`await database.execute(query=query2, values=values2)` | `async with database.transaction(force_rollback=True):`<br>` await database.execute(query=query1, values=values1)`<br>` await database.execute(query=query2, values=values2)` | Python/FastAPI | `EncodeDatabases, tests_and_migrations > Test isolation / force-rollback transactions` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-006 transaction leak несколько execute без async with database await query query1 values values1 query2 values2 force rollback true -->
|
|
9
|
+
| FAS-007 | Missing `await` на async DB call | `database.execute(query=query, values=values)` | `await database.execute(query=query, values=values)` | Python/FastAPI | `EncodeDatabases, database_queries > Queries / Execute` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-007 missing await на async db call database execute query values -->
|
|
10
|
+
| FAS-008 | Global Client Reuse: создание `AsyncClient`/DB-коннекта внутри хендлера (Logic: strong) | `@app.get("/proxy")`<br>`async def proxy(url: str):`<br>` async with httpx.AsyncClient() as client:`<br>` r = await client.get(url)`<br>` return {"status": r.status_code}` | `app = FastAPI()`<br>`@app.on_event("startup")`<br>`async def startup() -> None:`<br>` app.state.http = httpx.AsyncClient(timeout=5.0)`<br>`@app.on_event("shutdown")`<br>`async def shutdown() -> None:`<br>` await app.state.http.aclose()`<br>`@app.get("/proxy")`<br>`async def proxy(url: str, request: Request):`<br>` r = await request.app.state.http.get(url)`<br>` return {"status": r.status_code}` | Python/FastAPI | `FastAPI Security Documentation (production-ready resource usage); OWASP API Security Top 10 (API4: Unrestricted Resource Consumption)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | DI dependency scope must be request-bounded; singleton mutable providers are forbidden for auth/tenant-sensitive state. | <!-- semantic_anchor: fas-008 global client reuse создание asyncclient db коннекта внутри хендлера app get proxy async def url str with httpx as r -->
|
|
11
|
+
| FAS-009 | Missing Timeouts: асинхронные сетевые вызовы без `timeout` | `async with httpx.AsyncClient() as client:`<br>` r = await client.get("https://api.example.internal/data")` | `timeout = httpx.Timeout(connect=2.0, read=5.0, write=5.0, pool=2.0)`<br>`async with httpx.AsyncClient(timeout=timeout) as client:`<br>` r = await client.get("https://api.example.internal/data", timeout=timeout)` | Python/FastAPI | `FastAPI Security Documentation (availability hardening); OWASP API Security Top 10 (API4: Unrestricted Resource Consumption)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-009 missing timeouts асинхронные сетевые вызовы без timeout async with httpx asyncclient as client r await get https api example internal -->
|
|
12
|
+
| FAS-010 | PII Leakage in Logs: логирование `Request`/секретных полей без маскирования | `@app.post("/login")`<br>`async def login(request: Request):`<br>` body = await request.json()`<br>` logger.info("raw_request=%s body=%s", request, body)`<br>` return {"ok": True}` | `def _mask(data: dict[str, object]) -> dict[str, object]:`<br>` masked = dict(data)`<br>` for key in ("password", "token", "access_token", "refresh_token", "email", "phone"):`<br>` if key in masked:`<br>` masked[key] = "***"`<br>` return masked`<br>`@app.post("/login")`<br>`async def login(request: Request):`<br>` body = await request.json()`<br>` logger.info("request_id=%s payload=%s", request.headers.get("x-request-id", "-"), _mask(body))`<br>` return {"ok": True}` | Python/FastAPI | `FastAPI Security Documentation (sensitive data handling); OWASP API Security Top 10 (API3: Broken Object Property Level Authorization / excessive data exposure)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-010 pii leakage logs логирование request секретных полей без маскирования app post login async def body await json logger info raw -->
|
|
13
|
+
| FAS-011 | Exposed Docs in Prod: Swagger/ReDoc включены в production | `app = FastAPI(title="HexVibe API")` | `def create_app(env: str) -> FastAPI:`<br>` is_prod = env == "prod"`<br>` return FastAPI(` <br>` title="HexVibe API",`<br>` docs_url=None if is_prod else "/docs",`<br>` redoc_url=None if is_prod else "/redoc",`<br>` openapi_url=None if is_prod else "/openapi.json",`<br>` )` | Python/FastAPI | `FastAPI Security Documentation (disable interactive docs in production); OWASP API Security Top 10 (API9: Improper Inventory Management)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-011 exposed docs prod swagger redoc включены в production app fastapi title hexvibe api def create env str is return url -->
|
|
14
|
+
| FAS-012 | Insecure CORS Policy: `allow_origins=["*"]` | `app.add_middleware(` <br>` CORSMiddleware,`<br>` allow_origins=["*"],`<br>` allow_credentials=True,`<br>` allow_methods=["*"],`<br>` allow_headers=["*"],`<br>`)` | `allowed_origins = [`<br>` "https://app.example.com",`<br>` "https://admin.example.com",`<br>`]`<br>`app.add_middleware(` <br>` CORSMiddleware,`<br>` allow_origins=allowed_origins,`<br>` allow_credentials=True,`<br>` allow_methods=["GET", "POST", "PUT", "DELETE"],`<br>` allow_headers=["Authorization", "Content-Type"],`<br>`)` | Python/FastAPI | `FastAPI Security Documentation (CORS); OWASP API Security Top 10 (API8: Security Misconfiguration)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-012 insecure cors policy allow origins app add middleware corsmiddleware credentials true methods headers allowed https example com admin get post -->
|
|
15
|
+
| FAS-013 | Pydantic Arbitrary Types: `arbitrary_types_allowed=True` в модели | `class RawModel(BaseModel):`<br>` dangerous: object`<br>` class Config:`<br>` arbitrary_types_allowed = True` | `class UploadMeta(BaseModel):`<br>` file_name: constr(min_length=1, max_length=255)`<br>` size: conint(ge=1, le=10_000_000)`<br>` content_type: Literal["image/png", "image/jpeg", "application/pdf"]`<br>` model_config = ConfigDict(extra="forbid", strict=True)` | Python/FastAPI | `FastAPI Security Documentation (input validation); OWASP API Security Top 10 (API8: Security Misconfiguration)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-013 pydantic arbitrary types allowed true в модели class rawmodel basemodel dangerous object config uploadmeta file name constr min length 1 -->
|
|
16
|
+
| FAS-014 | Background Task Exception Handling: задача без `try/except` | `def send_email_task(email: str, payload: dict[str, object]) -> None:`<br>` smtp_client.send(email, payload)`<br>`@app.post("/notify")`<br>`async def notify(background_tasks: BackgroundTasks):`<br>` background_tasks.add_task(send_email_task, "user@example.com", {"status": "ok"})`<br>` return {"queued": True}` | `def send_email_task(email: str, payload: dict[str, object]) -> None:`<br>` try:`<br>` smtp_client.send(email, payload)`<br>` except Exception as exc:`<br>` logger.exception("background task failed: %s", exc)`<br>`@app.post("/notify")`<br>`async def notify(background_tasks: BackgroundTasks):`<br>` background_tasks.add_task(send_email_task, "user@example.com", {"status": "ok"})`<br>` return {"queued": True}` | Python/FastAPI | `FastAPI Security Documentation (BackgroundTasks operational safety); OWASP API Security Top 10 (API10: Unsafe Consumption of APIs)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-014 background task exception handling задача без try except def send email str payload dict object none smtp client app post -->
|
|
17
|
+
| FAS-015 | Large Payload DoS: upload endpoint без лимита размера тела | `@app.post("/upload")`<br>`async def upload(file: UploadFile):`<br>` data = await file.read()`<br>` return {"size": len(data)}` | `MAX_BYTES = 5 * 1024 * 1024`<br>`@app.post("/upload")`<br>`async def upload(request: Request, file: UploadFile):`<br>` content_length = int(request.headers.get("content-length", "0"))`<br>` if content_length <= 0 or content_length > MAX_BYTES:`<br>` raise HTTPException(status_code=413, detail="payload too large")`<br>` data = await file.read(MAX_BYTES + 1)`<br>` if len(data) > MAX_BYTES:`<br>` raise HTTPException(status_code=413, detail="payload too large")`<br>` return {"size": len(data)}` | Python/FastAPI | `FastAPI Security Documentation (request validation & UploadFile handling); OWASP API Security Top 10 (API4: Unrestricted Resource Consumption)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-015 large payload dos upload endpoint без лимита размера тела app post async def file uploadfile data await read return size -->
|
|
18
|
+
| FAS-016 | Host/Header Injection: отсутствие валидации `Host` и `X-` заголовков | `@app.get("/tenant")`<br>`async def tenant_route(request: Request):`<br>` tenant = request.headers.get("x-tenant-id", "")`<br>` callback = f"https://{request.headers['host']}/cb/{tenant}"`<br>` return {"callback": callback}` | `ALLOWED_HOSTS = {"api.example.com", "admin.example.com"}`<br>`TENANT_RE = re.compile(r"^[a-z0-9-]{1,32}$")`<br>`@app.get("/tenant")`<br>`async def tenant_route(request: Request):`<br>` host = request.headers.get("host", "").split(":")[0].lower()`<br>` tenant = request.headers.get("x-tenant-id", "").strip().lower()`<br>` if host not in ALLOWED_HOSTS:`<br>` raise HTTPException(status_code=400, detail="invalid host")`<br>` if not TENANT_RE.fullmatch(tenant):`<br>` raise HTTPException(status_code=400, detail="invalid tenant header")`<br>` callback = f"https://{host}/cb/{tenant}"`<br>` return {"callback": callback}` | Python/FastAPI | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (trusted proxy/host header hardening)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-016 host header injection отсутствие валидации и x заголовков app get tenant async def route request headers id callback f https -->
|
|
19
|
+
| FAS-017 | Mass Assignment Protection: прямой маппинг DTO в DB-модель | `class UserUpdate(BaseModel):`<br>` email: str`<br>` is_admin: bool = False`<br>` balance: int = 0`<br>`@app.patch("/users/{user_id}")`<br>`async def patch_user(user_id: int, dto: UserUpdate):`<br>` await users.update(user_id=user_id, **dto.model_dump())`<br>` return {"ok": True}` | `class UserUpdateDTO(BaseModel):`<br>` email: EmailStr | Python/FastAPI | None = None`<br>`@app.patch("/users/{user_id}")`<br>`async def patch_user(user_id: int, dto: UserUpdateDTO):`<br>` allowed = dto.model_dump(exclude_none=True, include={"email", "display_name"})`<br>` await users.update(user_id=user_id, **allowed)`<br>` return {"ok": True}` | `OWASP API Security Top 10 (API3: Broken Object Property Level Authorization); FastAPI Production Readiness (strict input models)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-017 mass assignment protection прямой маппинг dto в db модель class userupdate basemodel email str is admin bool false balance int -->
|
|
20
|
+
| FAS-018 | Insecure File Uploads: нет защиты от path traversal и magic-bytes проверки | `@app.post("/files")`<br>`async def upload(file: UploadFile):`<br>` path = f"/data/uploads/{file.filename}"`<br>` content = await file.read()`<br>` with open(path, "wb") as f:`<br>` f.write(content)`<br>` return {"path": path}` | `UPLOAD_DIR = Path("/data/uploads").resolve()`<br>`ALLOWED_MAGIC = {`<br>` b"\\x89PNG\\r\\n\\x1a\\n": ".png",`<br>` b"\\xff\\xd8\\xff": ".jpg",`<br>` b"%PDF-": ".pdf",`<br>`}`<br>`@app.post("/files")`<br>`async def upload(file: UploadFile):`<br>` safe_name = Path(file.filename or "upload.bin").name`<br>` target = (UPLOAD_DIR / safe_name).resolve()`<br>` if not str(target).startswith(str(UPLOAD_DIR)):`<br>` raise HTTPException(status_code=400, detail="invalid path")`<br>` data = await file.read(5 * 1024 * 1024 + 1)`<br>` magic_ok = any(data.startswith(sig) for sig in ALLOWED_MAGIC)`<br>` if not magic_ok:`<br>` raise HTTPException(status_code=415, detail="unsupported file type")`<br>` with target.open("wb") as out:`<br>` out.write(data)`<br>` return {"file": safe_name}` | Python/FastAPI | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (secure file upload handling)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-018 insecure file uploads нет защиты от path traversal и magic bytes проверки app post files async def upload uploadfile f -->
|
|
21
|
+
| FAS-019 | Verbose Error Messages: возврат raw Exception в HTTP-ответ | `@app.get("/orders/{order_id}")`<br>`async def get_order(order_id: int):`<br>` try:`<br>` return await service.fetch(order_id)`<br>` except Exception as exc:`<br>` raise HTTPException(status_code=500, detail=str(exc))` | `@app.get("/orders/{order_id}")`<br>`async def get_order(order_id: int):`<br>` try:`<br>` return await service.fetch(order_id)`<br>` except DomainNotFoundError:`<br>` raise HTTPException(status_code=404, detail="order not found")`<br>` except Exception:`<br>` logger.exception("unexpected error in get_order")`<br>` raise HTTPException(status_code=500, detail="internal server error")` | Python/FastAPI | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (error handling and information disclosure)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-019 verbose error messages возврат raw exception в http ответ app get orders order id async def int try return await -->
|
|
22
|
+
| FAS-020 | Async Context Leakage: dependency без `yield/finally` не закрывает ресурсы (Logic: strong) | `async def get_db() -> AsyncGenerator[AsyncSession, None]:`<br>` session = session_factory()`<br>` yield session`<br>`@app.get("/users")`<br>`async def users(db: AsyncSession = Depends(get_db)):`<br>` return await repo.list_users(db)` | `async def get_db() -> AsyncGenerator[AsyncSession, None]:`<br>` session = session_factory()`<br>` try:`<br>` yield session`<br>` finally:`<br>` await session.close()`<br>`@app.get("/users")`<br>`async def users(db: AsyncSession = Depends(get_db)):`<br>` return await repo.list_users(db)` | Python/FastAPI | `OWASP API Security Top 10 (API4: Unrestricted Resource Consumption); FastAPI Production Readiness (dependency lifecycle with yield/finally)` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Propagate request context via `contextvars`/explicit args only; forbid mutable global context for tenant, auth, and transaction data. | <!-- semantic_anchor: fas-020 async context leakage dependency без yield finally не закрывает ресурсы def get db asyncgenerator asyncsession none session factory app users -->
|
|
23
|
+
| FAS-021 | OS Command Injection: shell-команда строится из пользовательского ввода | `@app.get("/diag")`<br>`async def diag(host: str):`<br>` ...`<br>` subprocess.run(f"nslookup {host}", shell=True, check=False)` | `HOST_RE = re.compile(r"^[a-zA-Z0-9.-]{1,255}$")`<br>`@app.get("/diag")`<br>`async def diag(host: str):`<br>` if not HOST_RE.fullmatch(host):`<br>` raise HTTPException(status_code=400, detail="invalid host")`<br>` ...`<br>` subprocess.run(["nslookup", host], shell=False, check=True)` | Python/FastAPI | `CWE-78` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-021 os command injection shell команда строится из пользовательского ввода app get diag async def host str subprocess run f nslookup -->
|
|
24
|
+
| FAS-022 | Unsafe Deserialization: `pickle.loads`/`yaml.load` на недоверенных данных | `@app.post("/import")`<br>`async def import_blob(payload: str):`<br>` ...`<br>` obj = pickle.loads(base64.b64decode(payload))` | `class ImportDTO(BaseModel):`<br>` kind: Literal["profile","settings"]`<br>` data: dict[str, object]`<br>`@app.post("/import")`<br>`async def import_blob(dto: ImportDTO):`<br>` ...`<br>` validated = ImportDTO.model_validate(dto.model_dump())` | Python/FastAPI | `CWE-502` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-022 unsafe deserialization pickle loads load на недоверенных данных app post import async def blob payload str obj base64 b64decode class -->
|
|
25
|
+
| FAS-023 | CSRF on Cookie Session: state-changing endpoint без CSRF-токена | `@app.post("/users/me/email")`<br>`async def change_email(req: dict, request: Request):`<br>` ...`<br>` session_id = request.cookies.get("session_id")`<br>` return await svc.change_email(session_id, req["email"])` | `@app.post("/users/me/email")`<br>`async def change_email(req: dict, request: Request):`<br>` csrf_cookie = request.cookies.get("csrf_token")`<br>` csrf_header = request.headers.get("x-csrf-token")`<br>` if not csrf_cookie or csrf_cookie != csrf_header:`<br>` raise HTTPException(status_code=403, detail="csrf check failed")`<br>` ...`<br>` return await svc.change_email(request.cookies.get("session_id"), req["email"])` | Python/FastAPI | `CWE-352` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-023 csrf on cookie session state changing endpoint без токена app post users me email async def change req dict request -->
|
|
26
|
+
| FAS-024 | SSTI: пользовательский шаблон рендерится на сервере | `@app.post("/render")`<br>`async def render(tpl: str, ctx: dict):`<br>` ...`<br>` return Template(tpl).render(**ctx)` | `SAFE_TEMPLATES = {"welcome.html", "invoice.html"}`<br>`@app.post("/render")`<br>`async def render(template_name: str, ctx: dict):`<br>` if template_name not in SAFE_TEMPLATES:`<br>` raise HTTPException(status_code=400, detail="template not allowed")`<br>` ...`<br>` return jinja_env.get_template(template_name).render(**ctx)` | Python/FastAPI | `CWE-1336` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-024 ssti пользовательский шаблон рендерится на сервере app post render async def tpl str ctx dict return template templates welcome html -->
|
|
27
|
+
| FAS-025 | Code Injection: выполнение пользовательского кода через `eval/exec` | `@app.post("/calc")`<br>`async def calc(user_input: str):`<br>` ...`<br>` return {"result": eval(user_input)}`<br>`...`<br>`exec(user_input)` | `ALLOWED_EXPR = re.compile(r"^[0-9+\\-*/(). ]{1,128}$")`<br>`@app.post("/calc")`<br>`async def calc(user_input: str):`<br>` if not ALLOWED_EXPR.fullmatch(user_input):`<br>` raise HTTPException(status_code=400, detail="invalid expression")`<br>` ...`<br>` return {"result": safe_eval_math(user_input)}` | Python/FastAPI | `CWE-94` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-025 injection выполнение пользовательского кода через eval exec app post calc async def user input str return result allowed expr re -->
| FAS-026 | Command Injection: небезопасный shell-вызов через `os.system`/`subprocess(..., shell=True)` | `@app.post("/ops/run")`<br>`async def run(cmd: str):`<br>` ...`<br>` os.system(cmd)`<br>`...`<br>`subprocess.run(cmd, shell=True)` | `@app.post("/ops/run")`<br>`async def run(action: str):`<br>` allowed = {"uptime": ["uptime"], "date": ["date"]}`<br>` if action not in allowed:`<br>` raise HTTPException(status_code=400, detail="action not allowed")`<br>` ...`<br>` subprocess.run(allowed[action], shell=False, check=True)` | Python/FastAPI | `CWE-78` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-026 command injection небезопасный shell вызов через os system subprocess true app post ops run async def cmd str action allowed -->
| FAS-027 | Unsafe Imports: динамический `__import__` из пользовательского ввода | `@app.get("/plugin")`<br>`async def plugin(mod: str):`<br>` ...`<br>` m = __import__(mod)`<br>` return {"module": str(m)}` | `SAFE_MODULES = {"json", "math"}`<br>`@app.get("/plugin")`<br>`async def plugin(mod: str):`<br>` if mod not in SAFE_MODULES:`<br>` raise HTTPException(status_code=400, detail="module not allowed")`<br>` ...`<br>` m = importlib.import_module(mod)` | Python/FastAPI | `CWE-470` | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-027 unsafe imports динамический import из пользовательского ввода app get plugin async def mod str m return module modules json math -->
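Review bot: the remediation column for FAS-023 through FAS-027 repeats the same boilerplate ("Use strict Pydantic BaseModel schemas for input/output...") although these rows cover CSRF, SSTI, `eval`/`exec`, `shell=True` and `__import__` sinks, none of which a request schema addresses; each row should state the control its own fixed snippet already shows (CSRF double-submit check, template-name allowlist, expression allowlist, argv allowlist with `shell=False`, module allowlist). FAS-025's fixed snippet calls `safe_eval_math`, which is not defined in the row, so an autofix emitting it would fail at runtime; define it (for example an `ast`-based numeric evaluator) or mark it as a required helper. In the same row, the raw-string class `[0-9+\\-*/(). ]` as printed contains `\\-*`, which `re` rejects as a bad character range; if this is JSON escaping leaking into the markdown, the intended pattern is `\-`. The attack/impact text is also identical on every row; a row-specific impact, as FAS-031 has, would make the entries usable for triage.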
| FAS-028 | Excessive Data Exposure: `response_model` equals DB model without excluding sensitive fields | `@app.get("/users/{id}", response_model=UserModel)`<br>`async def get_user(id: int):`<br>` return user` | Использовать отдельные публичные DTO и `response_model_exclude`/`response_model_include` для исключения `password_hash`, `tokens`, `secret` полей. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-029 | Verbose error disclosure in custom `exception_handler` via `str(exc)` / `repr(exc)` | `return JSONResponse({"detail": str(exc)})` | Возвращать generic error message в production, детали логировать только на сервере; показывать raw error только при `settings.DEBUG=True`. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-030 | Unsafe `FileResponse` path from user input discloses internal filesystem paths | `return FileResponse(user_path)` | Нормализовать/ограничивать путь в allowlist директории и отдавать безопасные download names без утечки абсолютного пути. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-031 | CSV Injection in export endpoints: user cells written without formula neutralization (CWE-1236) | `writer.writerow([user.name, user.comment])` | Перед экспортом экранировать ячейки, начинающиеся с `=`, `+`, `-`, `@` (например, префикс `'`) и валидировать поля CSV. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий присылает файл/строку с ячейкой вроде =SUM(1+1) cmd\|' /C calc'!A0; при открытии в Excel формула может выполнить команду на машине жертвы (CWE-1236). | <!-- semantic_anchor: fas-031 csv injection excel formula cwe-1236 -->
| FAS-032 | Production logs expose full debug exception payloads (CWE-1295) | `logger.error("debug=%s", traceback.format_exc())` | Разделить debug/prod logging policy: в production логировать error-id и sanitized reason без stack/locals dump. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-033 | CSV export builds rows from raw query params without sanitization (CWE-1236) | `csv_line = f"{request.query_params['name']},{request.query_params['note']}"` | Формировать CSV через безопасный writer + cell sanitizer и запрет dangerous formula prefixes для untrusted fields. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-034 | FastAPI middleware prints request/response debug internals in production (CWE-1295) | `logger.debug("headers=%s body=%s", req.headers, body)` | Ограничивать debug logging по environment flag и применять redaction/masking для чувствительных полей. | Python/FastAPI | CWE Final Certification | Use strict Pydantic BaseModel schemas for input/output, including response_model and field allowlists. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
| FAS-035 | Paladin: утечка `UserAuthData` (password_hash, internal_id) в JSON ответе (CWE-201) | `return {"user": user_auth_data.model_dump()}` | Отдельный `response_model` / DTO с `exclude`/`model_config` (fields set); никогда не сериализовать `PasswordHash`/`InternalId`. | Python/FastAPI | `CWE-201` | Use Pydantic response models with explicit field exclusions; map domain entities to public DTOs only. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: fas-035 paladin userauthdata passwordhash internal json leak -->
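Review bot: the CWE column for FAS-028 through FAS-034 holds the placeholder text "CWE Final Certification" instead of an identifier, while the IDs exist only inside the titles (CWE-1236 for FAS-031/033, CWE-1295 for FAS-032/034); the column should carry the real ID in the `CWE-352` form used by FAS-023..027 and FAS-035, since that is presumably what the consumer parses, and FAS-028..030 need their own IDs rather than the placeholder. FAS-030's `FileResponse(user_path)` is a path-traversal sink, not only a path-disclosure one, so the title understates the severity of what the remediation (allowlisted directory, normalized path) is fixing. FAS-031 and FAS-033 describe the same CSV formula-injection sink with the same remediation and should be merged or differentiated. The remediation column is still the Pydantic boilerplate for the logging rows FAS-032/034 and for FAS-030, where it does not apply; the per-row fix text in the "after" column is the better candidate for that field.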
| V13F-001 | ASVS V13 Compliance: FastAPI endpoint lacks strict `Content-Type` enforcement (Compliance: ASVS-V13) | `@app.post("/api")`<br>`async def create(req: dict):`<br>` return req` | `if request.headers.get("content-type") != "application/json":`<br>` raise HTTPException(status_code=415)` | Python/FastAPI | Compliance: ASVS-V13 | Enforce strict media type allowlist in dependency/middleware. |
| V13F-002 | ASVS V13 Compliance: unexpected charset accepted for JSON body (Compliance: ASVS-V13) | `ctype = request.headers.get("content-type","")`<br>`if "application/json" in ctype: parse()` | `ctype = request.headers.get("content-type","")`<br>`if ctype != "application/json; charset=utf-8": raise HTTPException(status_code=415)` | Python/FastAPI | Compliance: ASVS-V13 | Validate charset and fail closed. |
| V13F-003 | ASVS V13 Compliance: request parser auto-fallback from invalid content type (Compliance: ASVS-V13) | `data = await request.json()` | `if request.headers.get("content-type") != "application/json; charset=utf-8":`<br>` raise HTTPException(status_code=415)`<br>`data = await request.json()` | Python/FastAPI | Compliance: ASVS-V13 | Gate JSON parser by explicit header check. |
| V13F-004 | ASVS V13 Compliance: Pydantic model allows unknown fields by default (Compliance: ASVS-V13) | `class DTO(BaseModel): ...` | `model_config = ConfigDict(extra="forbid", strict=True)` | Python/FastAPI | Compliance: ASVS-V13 | Forbid additional properties to prevent mass assignment. |
| V13F-005 | ASVS V13 Compliance: nested DTOs miss `extra="forbid"` (Compliance: ASVS-V13) | nested models default permissive | apply `extra="forbid"` to all nested request models | Python/FastAPI | Compliance: ASVS-V13 | Harden nested schema constraints. |
| V13F-006 | ASVS V13 Compliance: PATCH accepts arbitrary dict merged into entity (Compliance: ASVS-V13) | `payload: dict` then `update(**payload)` | use typed patch model with allowlisted fields | Python/FastAPI | Compliance: ASVS-V13 | Prevent over-posting/mass assignment. |
| V13F-007 | ASVS V13 Compliance: response missing `X-Content-Type-Options: nosniff` (Compliance: ASVS-V13) | no `nosniff` header middleware | add global middleware setting `X-Content-Type-Options=nosniff` | Python/FastAPI | Compliance: ASVS-V13 | Enforce nosniff on all responses. |
| V13F-008 | ASVS V13 Compliance: response missing strict CSP for docs/static (Compliance: ASVS-V13) | docs served without CSP | add CSP header policy for docs/static endpoints | Python/FastAPI | Compliance: ASVS-V13 | Add strict Content-Security-Policy. |
| V13F-009 | ASVS V13 Compliance: HTTPS API missing HSTS header (Compliance: ASVS-V13) | no `Strict-Transport-Security` | set HSTS globally behind TLS | Python/FastAPI | Compliance: ASVS-V13 | Add HSTS at app/proxy layer. |
| V13F-010 | ASVS V13 Compliance: header middleware bypass for exception responses (Compliance: ASVS-V13) | headers only set in success path | ensure security headers on all status codes | Python/FastAPI | Compliance: ASVS-V13 | Apply headers in top-level middleware/ASGI. |
| V13F-011 | ASVS V13 Compliance: OpenAPI JSON served with permissive media negotiation (Compliance: ASVS-V13) | fallback content types for `/openapi.json` | force `application/json; charset=utf-8` | Python/FastAPI | Compliance: ASVS-V13 | Pin content type and charset. |
| V13F-012 | ASVS V13 Compliance: file upload endpoint accepts JSON unexpectedly (Compliance: ASVS-V13) | mixed parsers without strict media check | split endpoints by explicit media type | Python/FastAPI | Compliance: ASVS-V13 | Explicitly scope accepted media types. |
| V13F-013 | ASVS V13 Compliance: schema validation disabled for speed on critical endpoint (Compliance: ASVS-V13) | raw dict processing bypassing model validation | always validate input against strict models | Python/FastAPI | Compliance: ASVS-V13 | Never skip validation on external input. |
| V13F-014 | ASVS V13 Compliance: custom decoder accepts duplicate keys silently (Compliance: ASVS-V13) | permissive JSON decode | reject duplicate keys in request JSON | Python/FastAPI | Compliance: ASVS-V13 | Enable strict JSON parser behavior. |
| V13F-015 | ASVS V13 Compliance: untyped `Any` fields in auth-sensitive DTOs (Compliance: ASVS-V13) | `metadata: dict[str, Any]` | replace with strict typed sub-model | Python/FastAPI | Compliance: ASVS-V13 | Remove `Any` in critical request schemas. |
| V13F-016 | ASVS V13 Compliance: endpoint consumes both form and JSON without separation (Compliance: ASVS-V13) | ambiguous parsers on one route | separate routes and enforce single media type | Python/FastAPI | Compliance: ASVS-V13 | Avoid parser ambiguity. |
| V13F-017 | ASVS V13 Compliance: gateway/proxy strips app-set CSP/HSTS headers (Compliance: ASVS-V13) | missing upstream header preservation | enforce headers at edge and app layer | Python/FastAPI | Compliance: ASVS-V13 | Defense in depth for security headers. |
| V13F-018 | ASVS V13 Compliance: no `additionalProperties=false` equivalent for query-object parser (Compliance: ASVS-V13) | parse dynamic query object | map query params to strict model only | Python/FastAPI | Compliance: ASVS-V13 | Forbid unknown query fields in object parsers. |
| V13F-019 | ASVS V13 Compliance: response content-type mismatch in exception handler (Compliance: ASVS-V13) | plain text details for JSON API errors | return structured JSON error with proper media type | Python/FastAPI | Compliance: ASVS-V13 | Normalize API error format/content type. |
| V13F-020 | ASVS V13 Compliance: no centralized V13 policy test for API headers/content rules (Compliance: ASVS-V13) | ad hoc per-endpoint checks | central middleware + integration tests for V13 controls | Python/FastAPI | Compliance: ASVS-V13 | Enforce global policy and regression tests. |
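Review bot: V13F-002 and V13F-003 compare the header against the exact string `application/json; charset=utf-8`, which rejects the common `application/json` with no parameter (RFC 8259 defines no charset parameter for JSON) as well as case and whitespace variants, so the fixed snippets would fail closed on legitimate clients; parse the media type and compare type/subtype, accepting only an absent or `utf-8` charset. V13F-001's fixed snippet uses `request`, which is not in the handler signature shown (`async def create(req: dict)`); the fix needs `request: Request` added to the signature. Rows V13F-005 through V13F-020 carry prose in the before/after columns rather than code, unlike every other row in the file, and all V13F rows have 7 cells where FAS rows have 8 or 9 and PYX rows have 8, so the markdown table will not align; either add the missing impact column or split V13F into its own table with a header. V13F-004 suggests `ConfigDict(extra="forbid", strict=True)`, which is a Pydantic v2 API; the row should say so, since the file otherwise does not state a Pydantic version.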
| PYX-201 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-202 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-203 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-204 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-205 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-206 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-207 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-208 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-209 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-210 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-211 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-212 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-213 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-214 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-215 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-216 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-217 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-218 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-219 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-220 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-221 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-222 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-223 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-224 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-225 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-226 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-227 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-228 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-229 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-230 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-231 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-232 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-233 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-234 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-235 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-236 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-237 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-238 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-239 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-240 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-241 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-242 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-243 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-244 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-245 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
| PYX-246 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
| PYX-247 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
| PYX-248 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
| PYX-249 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
| PYX-250 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
110
|
+
| PYX-251 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
111
|
+
| PYX-252 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
112
|
+
| PYX-253 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
113
|
+
| PYX-254 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
114
|
+
| PYX-255 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
115
|
+
| PYX-256 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
116
|
+
| PYX-257 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
117
|
+
| PYX-258 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
118
|
+
| PYX-259 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
119
|
+
| PYX-260 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
120
|
+
| PYX-261 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
121
|
+
| PYX-262 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
122
|
+
| PYX-263 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
123
|
+
| PYX-264 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
124
|
+
| PYX-265 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
125
|
+
| PYX-266 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
126
|
+
| PYX-267 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
127
|
+
| PYX-268 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
128
|
+
| PYX-269 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
129
|
+
| PYX-270 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
130
|
+
| PYX-271 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
131
|
+
| PYX-272 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
132
|
+
| PYX-273 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
133
|
+
| PYX-274 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
134
|
+
| PYX-275 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
135
|
+
| PYX-276 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
136
|
+
| PYX-277 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
137
|
+
| PYX-278 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
138
|
+
| PYX-279 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
139
|
+
| PYX-280 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
140
|
+
| PYX-281 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
141
|
+
| PYX-282 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
142
|
+
| PYX-283 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
143
|
+
| PYX-284 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
144
|
+
| PYX-285 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
145
|
+
| PYX-286 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
146
|
+
| PYX-287 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
147
|
+
| PYX-288 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
148
|
+
| PYX-289 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
149
|
+
| PYX-290 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
150
|
+
| PYX-291 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
151
|
+
| PYX-292 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
152
|
+
| PYX-293 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
153
|
+
| PYX-294 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
154
|
+
| PYX-295 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
155
|
+
| PYX-296 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
156
|
+
| PYX-297 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
157
|
+
| PYX-298 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
158
|
+
| PYX-299 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
159
|
+
| PYX-300 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
160
|
+
| PYX-301 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
161
|
+
| PYX-302 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
162
|
+
| PYX-303 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
163
|
+
| PYX-304 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
164
|
+
| PYX-305 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
165
|
+
| PYX-306 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
166
|
+
| PYX-307 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
167
|
+
| PYX-308 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
168
|
+
| PYX-309 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
169
|
+
| PYX-310 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
170
|
+
| PYX-311 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
171
|
+
| PYX-312 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
172
|
+
| PYX-313 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
173
|
+
| PYX-314 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
174
|
+
| PYX-315 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
175
|
+
| PYX-316 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
176
|
+
| PYX-317 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
177
|
+
| PYX-318 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
178
|
+
| PYX-319 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
179
|
+
| PYX-320 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
180
|
+
| PYX-321 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
181
|
+
| PYX-322 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
182
|
+
| PYX-323 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
183
|
+
| PYX-324 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
184
|
+
| PYX-325 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
185
|
+
| PYX-326 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
186
|
+
| PYX-327 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
187
|
+
| PYX-328 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
188
|
+
| PYX-329 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
189
|
+
| PYX-330 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
190
|
+
| PYX-331 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
191
|
+
| PYX-332 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-333 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-334 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-335 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-336 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-337 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-338 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-339 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-340 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-341 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-342 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-343 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-344 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-345 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-346 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-347 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-348 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-349 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-350 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-351 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-352 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-353 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-354 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-355 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-356 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-357 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-358 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-359 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-360 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-361 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-362 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-363 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-364 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-365 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-366 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-367 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-368 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-369 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-370 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-371 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-372 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-373 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-374 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-375 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-376 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-377 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-378 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-379 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-380 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-381 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-382 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-383 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-384 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-385 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-386 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-387 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-388 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-389 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-390 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-391 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-392 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-393 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-394 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-395 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-396 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-397 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-398 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-399 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-400 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-401 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-402 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-403 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-404 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-405 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-406 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-407 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-408 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-409 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-410 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
+
| PYX-411 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
+
| PYX-412 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
+
| PYX-413 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
+
| PYX-414 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
+
| PYX-415 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
275
|
+
| PYX-416 | FastAPI Depends auth bypass on object route (Logic: strong) | `def get_order(order_id: int, user = Depends(optional_user)): return repo.get(order_id)` | `def get_order(order_id: int, user = Depends(require_user)): return repo.get_for_owner(order_id, user.id)` | Python/FastAPI | CWE-639 | Autofix: enforce owner-scoped query in Depends chain and deny by default. | IDOR/BOLA via permissive dependency allows cross-tenant object reads. |
|
|
276
|
+
| PYX-417 | Django mass assignment via ModelForm fields = __all__ (Logic: strong) | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = '__all__'` | `class UserUpdateForm(ModelForm): class Meta: model = User; fields = ['display_name', 'email']` | Python/Django | CWE-915 | Autofix: replace broad field binding with explicit allowlist fields. | Attacker updates privileged attributes like is_staff or balance. |
|
|
277
|
+
| PYX-418 | Celery untrusted deserialization of task payload | `obj = pickle.loads(task_payload)` | `obj = json.loads(task_payload)` | Python/Celery | CWE-502 | Autofix: replace pickle with JSON and validate schema before use. | Crafted payload triggers gadget execution during task processing. |
|
|
278
|
+
| PYX-419 | Django ORM filter built from raw user field (IDOR logic: strong) | `qs = Invoice.objects.filter(user_id=request.GET['user_id'])` | `qs = Invoice.objects.filter(user=request.user)` | Python/Django | CWE-639 | Autofix: bind ORM queries to authenticated principal instead of user-supplied IDs. | User-supplied identifier enumerates other users invoices. |
|
|
279
|
+
| PYX-420 | FastAPI insecure dynamic object merge into domain model | `for k, v in payload.items(): setattr(model, k, v)` | `for k in ('display_name', 'timezone'): setattr(model, k, payload[k])` | Python/FastAPI | CWE-915 | Autofix: introduce field allowlist before model mutation. | Dynamic attribute merge can overwrite protected model state. |
|
|
280
|
+
| IFF-001 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
281
|
+
| IFF-002 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
282
|
+
| IFF-003 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
283
|
+
| IFF-004 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
284
|
+
| IFF-005 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
285
|
+
| IFF-006 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
286
|
+
| IFF-007 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
287
|
+
| IFF-008 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
288
|
+
| IFF-009 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
289
|
+
| IFF-010 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
290
|
+
| IFF-011 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
291
|
+
| IFF-012 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
292
|
+
| IFF-013 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
293
|
+
| IFF-014 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
294
|
+
| IFF-015 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
295
|
+
| IFF-016 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
296
|
+
| IFF-017 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
297
|
+
| IFF-018 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
298
|
+
| IFF-019 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
299
|
+
| IFF-020 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
300
|
+
| IFF-021 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
301
|
+
| IFF-022 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
302
|
+
| IFF-023 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
303
|
+
| IFF-024 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
304
|
+
| IFF-025 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
305
|
+
| IFF-026 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
306
|
+
| IFF-027 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
307
|
+
| IFF-028 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
308
|
+
| IFF-029 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
309
|
+
| IFF-030 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
310
|
+
| IFF-031 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
311
|
+
| IFF-032 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
312
|
+
| IFF-033 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
313
|
+
| IFF-034 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
314
|
+
| IFF-035 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
315
|
+
| IFF-036 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
316
|
+
| IFF-037 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
317
|
+
| IFF-038 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
318
|
+
| IFF-039 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
319
|
+
| IFF-040 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
320
|
+
| IFF-041 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
321
|
+
| IFF-042 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
322
|
+
| IFF-043 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
323
|
+
| IFF-044 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
324
|
+
| IFF-045 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
325
|
+
| IFF-046 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
326
|
+
| IFF-047 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
|
327
|
+
| IFF-048 | Python/FastAPI: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Python/FastAPI | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
|
|
328
|
+
| IFF-049 | Python/FastAPI: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Python/FastAPI | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
|
|
329
|
+
| IFF-050 | Python/FastAPI: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Python/FastAPI | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
|
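Review bot: The IFF-001 through IFF-050 rows tag every rule as `Python/FastAPI`, yet both the vulnerable and fixed snippets are Java/Spring (`@GetMapping`, `@PreAuthorize`, `repo.findById(id)`, `http.authorizeHttpRequests(...)`), so any matching keyed on the language column will misfire and the autofix text would be applied in the wrong ecosystem; either relabel these rows as Java/Spring or rewrite the snippets in the FastAPI idiom that PYX-411 already uses (`user = Depends(require_user)` plus an owner-scoped `repo.get_for_owner(order_id, user.id)`). The Java snippets also do not compile as written: Java string literals take double quotes, so `'/admin/**'` is invalid and `'hasRole(''ADMIN'')'` (the doubled single quotes look like a CSV/SQL escaping artifact) should read `"hasRole('ADMIN')"`. The fixes for the same flaw disagree with each other as well: IFF-001 requires the ADMIN role on `/admin`, while IFF-003 only requires `.authenticated()` on `/admin/**` and states no rule for unmatched paths, which undercuts the "deny by default" intent spelled out in the PYX-411 autofix; the two fix snippets should agree on the required role and on the default for everything else. Finally, this region is heavily duplicated: PYX-415 and PYX-420 are verbatim copies of PYX-410 (likewise 416/411, 417/412, 418/413, 419/414), and IFF-001 through IFF-050 cycle through the same three rules; deduplicating so that each rule ID maps to one distinct pattern would drop most of these lines and avoid reporting the same finding several times for one piece of code. Minor: PYX-414 reads "other users invoices" and wants "other users' invoices".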